Date: Wed, 18 Aug 2004 17:56:59 +0200
From: Tommy K <tommy@berlin.homeunix.com>
To: probsd org <probsdorg@yahoo.com>
Cc: freebsd-security@freebsd.org
Subject: Re: chfn, date, chsh INFECTED according to chkrootkit
Message-ID: <20040818155659.GE8241@berlin.homeunix.com>
In-Reply-To: <20040818121102.95460.qmail@web52402.mail.yahoo.com>
References: <20040818121102.95460.qmail@web52402.mail.yahoo.com>

Hello,

I have written the author of chkrootkit this mail.

Tommy

On Fri, Jul 02, 2004 at 01:20:50PM +0200, Tommy K wrote:
> Hello,
>
> I have tested chkrootkit on many FreeBSD 4.10** machines and all of the
> tested machines have the same INFECTED things.
>
> I think that is a bug in chkrootkit
>
> <snip>

Yes, you're right. I will fix it in the next version.
Thanks a lot for your bug report and interest in chkrootkit,

./nelson -murilo

> # chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `cron'... not infected
> Checking `date'... INFECTED
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> </snip>
>
> Hopefully it could help you!
>
> Regards Tommy
>
> --
> Das B
> Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354
> DFB5
>
> Thomas Kamann | Trainee - Application Development

On Wed, Aug 18, 2004 at 05:11:02AM -0700, probsd org wrote:
> I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and
> noticed that chfn, date, and chsh showed as being
> infected. I remember reading posts from the past that
> right now chkrootkit is giving a lot of false
> positives, so I suspected that these 3 binaries are
> not bad.
>
> However, to be on the safe side, I deleted the 3
> binaries, removed /usr/src and did a 'make world' to
> 4.10-STABLE.
>
> But, chfn, chsh, and date are still showing as
> infected.
>
> Is my assumption that I am seeing a false positive
> correct, or does anyone know of an exploit that would
> affect these 3 binaries ( and even after a 'make
> world' from clean src )?
>
> Michael

--
Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
http://www.dasburo.com | http://tom.dasburo.com
Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5
Thomas Kamann | Trainee - Application Development
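
Added example, not part of the original message and not chkrootkit's own code: one way to triage the INFECTED lines quoted above is to parse the report and compare each flagged binary's SHA-256 with a copy you trust. The function names, the sample text and the reference directory (for instance, binaries taken from read-only install media of the same release) are assumptions made for illustration.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample in the output format quoted in the thread.
SAMPLE_OUTPUT = """ROOTDIR is `/'
Checking `amd'... not infected
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `cron'... not infected
Checking `date'... INFECTED
"""

CHECK_LINE = re.compile(r"^Checking `([^']+)'\.\.\.\s*(.*)$")


def flagged_commands(output):
    """Return the command names chkrootkit reported as INFECTED."""
    flagged = []
    for line in output.splitlines():
        match = CHECK_LINE.match(line.strip())
        if match and match.group(2).startswith("INFECTED"):
            flagged.append(match.group(1))
    return flagged


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(output, installed_dirs, reference_dir):
    """Map each flagged command to a verdict against the reference copy."""
    verdicts = {}
    for name in flagged_commands(output):
        candidates = [Path(d) / name for d in installed_dirs]
        installed = next((p for p in candidates if p.is_file()), None)
        reference = Path(reference_dir) / name
        if installed is None or not reference.is_file():
            verdicts[name] = "cannot-verify"
        elif sha256_file(installed) == sha256_file(reference):
            verdicts[name] = "matches-reference"
        else:
            verdicts[name] = "differs-from-reference"
    return verdicts
```

A "matches-reference" verdict only shows that the installed file equals the reference copy, so the reference must come from a source outside the host being checked, and the comparison is best run from trusted media.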